Generate a simple report of attacks on your servers from Graylog2 data using MapReduce (now requires MongoDB driver >= 1.2)
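<?php
/**
 * A quick & dirty script that outputs a list of possible attacking IP address,
 * per host with a total count.
 *
 * Tweak the "THE_QUERY" constant to suit your environment - we use Debian & Ubuntu
 *
 * @author Russell Smith <russell.smith@ukd1.co.uk>
 * @copyright UKD1 Limited, 2011
 * @license ISC license
 */

/**
 * The name of your graylog2 database
 */
define('GRAYLOG2_DB', 'graylog2');

/**
 * The query to match against (case-insensitive). Only messages matching this
 * regex reach the map function, so keep it as narrow as your syslog format allows.
 */
define('THE_QUERY', '/.+ssh.+(failed\ password|authentication\ failure|possible\ break\-in\ attempt|invalid\ user).+/i');

// Connect to MongoDB (default host - i.e. localhost)
$mongo = new Mongo();

// Select the configured database
$db = $mongo->selectDB(GRAYLOG2_DB);

// Map function - do a regex on the message and extract the first IP we come across.
// The key is "ip,host" so one source hitting several hosts is counted per host.
$map = new MongoCode('function () {
    var re = new RegExp(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/);
    var rs = re.exec(this.message);
    if (rs == null) {
        emit("Oddly no ip found", 1);
    } else {
        emit(rs[0] + "," + this.host, 1);
    }
}');

// Reduce function - sum the emitted counts.
// MongoDB may call reduce more than once for the same key and feed earlier
// reduce results back in as values, so the function must be a true sum.
// Returning v_arr.length would under-count exactly the busiest keys, which
// are the ones this report is meant to surface.
$reduce = new MongoCode("function (k, v_arr) {
    var total = 0;
    for (var i = 0; i < v_arr.length; i++) {
        total += v_arr[i];
    }
    return total;
}");

// Execute the MapReduce. "out" names a collection that is replaced on each run,
// so the report only reflects the latest execution. timeout 0 = wait as long as
// the server needs.
$failed_logins = $db->command(array(
    "mapreduce" => "messages",
    "map"       => $map,
    "reduce"    => $reduce,
    "out"       => "failed_logins",
    "query"     => array("message" => new MongoRegex(THE_QUERY))
), array('timeout' => 0));

// Fail loudly if the server rejected the command instead of reading a missing
// 'result' key and printing an empty report.
if (empty($failed_logins['ok']) || empty($failed_logins['result'])) {
    $errmsg = isset($failed_logins['errmsg']) ? $failed_logins['errmsg'] : 'unknown error';
    fwrite(STDERR, "MapReduce failed: " . $errmsg . "\n");
    exit(1);
}

// Get the results, sorted by the most attempts
$fails = $db->selectCollection($failed_logins['result'])->find()->sort(array('value' => -1));

// Output in a CSV style: ip,host,count (the _id already holds "ip,host")
foreach ($fails as $fail) {
    print "\n" . $fail['_id'] . ',' . $fail['value'];
}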